=== Contexts and Proofs ===

An ABAC Context contains all the identities and assertions that are known in a specific authorization domain. Given a Context, a programmer loads the identities that are trusted to issue attributes, and then the attributes themselves. A Context can load either of these from files or from data chunks. In Python and Perl, data chunks are strings/scalars; in C and C++ they are simple structs. IDs and Attributes export the {{{cert_chunk}}} method to support the translation. Here is an example of generating credentials and loading them into a Context. It shows principal A loading the {{{A.friendly_admin <- A.friendly & A.admin}}} Attribute and then assigning the {{{friendly}}} and {{{admin}}} attributes to identity B and the {{{admin}}} attribute to identity C.

{{{
import ABAC

ctxt = ABAC.Context()

# Identities A, B and C, each valid for 20 years (lifetime is given in seconds)
a = ABAC.ID("A", 24 * 3600 * 365 * 20)
b = ABAC.ID("B", 24 * 3600 * 365 * 20)
c = ABAC.ID("C", 24 * 3600 * 365 * 20)

# A.friendly_admin <- A.friendly & A.admin: two role() calls make an intersection
attr = ABAC.Attribute(a, "friendly_admin", 24 * 3600 * 365 * 20)
attr.role(a.keyid(), "friendly")
attr.role(a.keyid(), "admin")
attr.bake()

# A's identity must be loaded before the attributes it issues are trusted
ctxt.load_id_chunk(a.cert_chunk())
ctxt.load_attribute_chunk(attr.cert_chunk())

# A.friendly <- B
attr = ABAC.Attribute(a, "friendly", 24 * 3600 * 365 * 20)
attr.principal(b.keyid())
attr.bake()
ctxt.load_attribute_chunk(attr.cert_chunk())

# A.admin <- B
attr = ABAC.Attribute(a, "admin", 24 * 3600 * 365 * 20)
attr.principal(b.keyid())
attr.bake()
ctxt.load_attribute_chunk(attr.cert_chunk())

# A.admin <- C (C gets admin only, not friendly)
attr = ABAC.Attribute(a, "admin", 24 * 3600 * 365 * 20)
attr.principal(c.keyid())
attr.bake()
ctxt.load_attribute_chunk(attr.cert_chunk())
}}}

Asking the question is done using {{{ctxt.query()}}}. The following asks whether B is an A.friendly_admin:

{{{
# Same code as above to initialize the ids and load the context

ok, proof = ctxt.query(a.keyid() + ".friendly_admin", b.keyid())
}}}

The first parameter to {{{Context.query}}} is the attribute of interest and the second is the keyid of an identity. A tuple is returned holding (success, proof), where success is true if the identity has the attribute and proof is a list of ABAC statements that make up the proof.

=== Credentials and Roles ===

Credentials are the abstraction of ABAC statements and Roles are the abstraction of the terms of an ABAC statement. A Credential is made up of two Roles, a head and a tail, that form the two sides of the ABAC statement. There is a set of accessors to parse the contents of a Role, described in the [/browser/doc/API API docs]; Roles are primarily of interest in printing and exploring the proof.

Credentials are useful in communicating proof contents outside the program. In addition to the {{{head}}} and {{{tail}}} accessors that return the Roles, a Credential has an {{{attribute_cert()}}} method that returns the exportable content of the assertion and an {{{issuer_cert()}}} method that returns the issuer's X.509 certificate (without the private key). These outputs are chunks, useful for writing to files or importing into other Contexts. The following code prints the proof of our earlier successful question and saves it to files. This is not exemplary Python file handling, but the point is to see the accessors:

{{{
import sys
# Same code as above to initialize the ids and load the context

ok, proof = ctxt.query(a.keyid() + ".friendly_admin", b.keyid())

if not ok:
    sys.exit(1)

# Each element of the proof is a Credential: print it as "head <- tail" and
# save the issuer's certificate and the attribute certificate it carries
for i, c in enumerate(proof):
    print("%s <- %s" % (c.head().string(), c.tail().string()))
    open("./id%d.pem" % i, "w").write(c.issuer_cert())
    open("./attr%d.xml" % i, "w").write(c.attribute_cert())
}}}
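To make concrete what {{{query()}}} derives and why the proof list above contains the statements it does, here is an added, self-contained stand-in for the query and the {{{head}}}/{{{tail}}} rendering. It is not libabac or its Python binding and nothing in it comes from the project: the {{{Context}}}, {{{Credential}}}, {{{build_page_context}}} and {{{render_proof}}} names are this example's own, principals are plain strings instead of key ids, and only simple and intersection statements (the two forms the page uses) are resolved. It loads the same four statements as the page's example and shows that B satisfies {{{A.friendly_admin}}} while C, who holds {{{admin}}} but not {{{friendly}}}, does not.

```python
"""Constructed stand-in for Context.query(): a small backward-chaining prover
over the statements the page loads.  NOT libabac; it exists only to show what
the (success, proof) tuple contains.  Principals are strings such as "A" and
roles are strings such as "A.friendly_admin"."""


class Credential:
    """Mirrors the head/tail shape of an ABAC statement: head <- tail."""

    def __init__(self, head, tail):
        self._head = head          # a role, e.g. "A.friendly_admin"
        self._tail = tuple(tail)   # one principal or role; several for an intersection

    def head(self):
        return self._head

    def tail_terms(self):
        return self._tail

    def tail(self):
        # Rendered the way the page prints c.tail().string(): "A.friendly & A.admin"
        return " & ".join(self._tail)

    def __str__(self):
        return "%s <- %s" % (self.head(), self.tail())


class Context:
    """Holds credentials and answers 'does principal hold role?' with a proof."""

    def __init__(self):
        self._creds = []

    def load(self, head, *tail):
        self._creds.append(Credential(head, tail))

    def query(self, role, principal):
        """Return (success, proof); proof lists the statements used, head first."""
        proof = []
        ok = self._prove(role, principal, proof, frozenset())
        return ok, proof

    def _prove(self, term, principal, proof, visited):
        if "." not in term:           # a bare principal: true only for the one asked about
            return term == principal
        if term in visited:           # stop on cyclic delegation (A.r <- B.r, B.r <- A.r)
            return False
        visited = visited | {term}
        for cred in self._creds:
            if cred.head() != term:
                continue
            sub = []                  # proof fragments for this candidate statement
            # For an intersection every tail term must hold for the same principal;
            # a single-term tail is just the one-term case.
            if all(self._prove(t, principal, sub, visited) for t in cred.tail_terms()):
                proof.append(cred)
                proof.extend(sub)
                return True
        return False


def build_page_context():
    """The four statements the page's example has A issue (constructed data)."""
    ctx = Context()
    ctx.load("A.friendly_admin", "A.friendly", "A.admin")  # intersection
    ctx.load("A.friendly", "B")
    ctx.load("A.admin", "B")
    ctx.load("A.admin", "C")
    return ctx


def render_proof(ctx, role, principal):
    """Run a query and return (success, ['head <- tail', ...]); empty list on failure."""
    ok, proof = ctx.query(role, principal)
    return ok, [str(c) for c in proof]


if __name__ == "__main__":
    ctx = build_page_context()
    for who in ("B", "C"):
        ok, lines = render_proof(ctx, "A.friendly_admin", who)
        print("%s is A.friendly_admin: %s" % (who, ok))
        for line in lines:
            print("  " + line)
```

The proof for B comes back as three statements, the intersection first and then the two statements that satisfy each of its terms, which is the same shape the page's loop prints one {{{head <- tail}}} line per Credential. The query for C fails and returns an empty proof: holding only {{{A.admin}}} is not enough, because an intersection requires both terms for the same principal, which is the property that makes {{{friendly_admin}}} safe to use as a combined authorization requirement.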